Sucuri Blog


SFTP/FTP Password Exposure via sftp-config.json

November 23, 2012 | Daniel Cid


Have you heard of the file sftp-config.json? You haven't? Neither had we until a few weeks ago.

It is used by some SFTP/FTP clients (Sublime SFTP is one) to pre-configure SFTP/FTP connections to remote sites, and it holds the connection details in plain text (not encrypted):

"type": "ftp",
..
"host": "FTP HOST",
"user": "FTP USER",
"password": "FTP PASS",
"port": "21",

This makes it a lot easier to connect to and manage remote servers. However, with extra flexibility come some serious security issues if it is not used properly.

First, your user and pass are not encrypted locally. Second, if you upload this file remotely, anyone will be able to see your FTP/SFTP user and password.

Nobody would do that, would they? Well, we decided to check how many sites have sftp-config.json exposed, and hundreds of them do. And we are talking about the top 1 million web site list (according to Alexa). We will not list the exposed sites for obvious reasons, but the number is high enough that we need to shed some light on this issue. Yes, we already emailed them to warn them about the problem; hopefully they will all act on that soon.

Checking if a site is vulnerable

A simple way to check if your site is exposing the credentials via sftp-config.json is to just query it via curl:

$ curl -D - site.com/sftp-config.json

// The tab key will cycle through the settings when first create
// sftp, ftp or ftps
"type": "ftp",
"save_before_upload": true,
"upload_on_save": true,
..

If you get output similar to the one above, you know the site is vulnerable.

Another easy way to query for this issue is to search on Google for "tab key will cycle through the settings" (a common header at the top of the file) or sftp-config.json, and you will find passwords in pastebins, GitHub repositories and other places. However, this has less success than querying the sites directly.

Solution

The solution is simple: just make sure you never push your FTP settings to remote servers. If you think your site is compromised already, you can scan it on our sitecheck scanner: http://sitecheck.sucuri.net
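
One way to enforce this before a deploy, as an added example that is not part of the original post: scan the directory about to be published for sftp-config.json and flag any copy with an active password. The function names, sample host, user and password are constructed for illustration, and the script assumes lines starting with // are comments, as in the excerpt above.

```shell
#!/bin/sh
# Added example: pre-deploy check for sftp-config.json in a publish directory.
# Assumption: lines starting with // are comments, as in the excerpt above.

# Read a config body on stdin; succeed if it holds an uncommented, non-empty
# "password" value. Works on a local file or on a body fetched with curl.
body_has_password() {
    grep -v '^[[:space:]]*//' |
        grep -Eq '"password"[[:space:]]*:[[:space:]]*"[^"]+"'
}

# List every sftp-config.json under directory $1. Any hit should block the
# deploy: even without a password the file discloses the host and user.
scan_webroot() {
    find "$1" -type f -name 'sftp-config.json' | while IFS= read -r f; do
        if body_has_password < "$f"; then
            echo "CREDENTIALS $f"
        else
            echo "PRESENT $f"
        fi
    done
}

# Constructed sample tree (hypothetical host, user and password).
make_sample() {
    mkdir -p "$1/public/admin" "$1/public/blog"
    cat > "$1/public/admin/sftp-config.json" <<'EOF'
{
    // sftp, ftp or ftps
    "type": "ftp",
    "host": "ftp.example.test",
    "user": "deploy",
    "password": "constructed-secret",
}
EOF
    cat > "$1/public/blog/sftp-config.json" <<'EOF'
{
    "host": "ftp.example.test",
    "user": "deploy",
    //"password": "commented-out",
}
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
scan_webroot "$tmp/public"
rm -rf "$tmp"
```

The same body_has_password check can be fed the output of `curl -s` against your own site, which avoids treating a custom error page served at that URL as a finding.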

Categories: Security Education, Vulnerability Disclosure
Tags: Passwords

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Comments

  1. Cathy Tibbles

    November 23, 2012

    How do I tell if my FTP client (Filezilla) does this?

    • golfpapa

      November 24, 2012

      If saving passwords is enabled (Kiosk mode = 0 in %APPDATA%\filezilla\filezilla.xml) then FileZilla stores credentials in plaintext in %APPDATA%\filezilla\recentservers.xml. Read why: http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932#p70293.

  2. Dylan Kinnett

    February 21, 2014

    It would also help if the clients, such as Sublime’s SFTP, would offer an option to store this sensitive file away from the files that belong on the server. Does anyone know whether this is possible?
